Web security 101 (or: how to hack security conferences)

The vulnerable nature of Web applications turned out to apply even
to security conferences.

After finding a severe security issue in a particular conference's
Web system, it was discovered that the issue was in fact not local
to that conference. Moreover, while investigating it, other
security issues were found: a mix of programming choices and errors, insecure application defaults, and server configuration issues.

What followed was a journey into the world of Web security: HTTP sessions and their management, cookies, cookie sniffing possibilities, cookie manipulation and replaying, HTTPS failures, session hijacking and fixation scenarios, and the combination of all of the above: the potential of becoming admin in several conferences' Web systems.

This talk will cover the aspects above, include a practical demonstration of them, and explain how things were (hopefully?) fixed. It also includes some thoughts on secure programming and risks involved in code forking.
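The session fixation scenario mentioned above comes down to one server-side decision: whether the application keeps the session identifier that arrived with the login request, or discards it and issues a fresh one after authentication. The following Python is an added example written for this page, not code from the talk or from any conference system it describes; the session store, the two login variants and the cookie attribute helper are assumptions chosen to make the contrast runnable offline.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Minimal server-side session table: session id -> user (None = anonymous)."""
    sessions: dict = field(default_factory=dict)

    def new_session(self, user=None):
        # 256 bits from the OS CSPRNG; never derived from user-controlled input
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid


def login_vulnerable(store, presented_sid, user):
    """Fixation-prone: authenticates whatever id arrived in the cookie.

    If an attacker managed to plant that id in the victim's browser
    beforehand, the attacker's copy of it is now an authenticated session.
    """
    store.sessions[presented_sid] = user
    return presented_sid


def login_hardened(store, presented_sid, user):
    """Regenerates the session on privilege change.

    The pre-login id (whoever chose it) is invalidated, and the authenticated
    session lives only under a freshly generated id the client has not seen.
    """
    store.sessions.pop(presented_sid, None)
    return store.new_session(user)


def set_cookie_header(sid, https=True):
    """Build the Set-Cookie line with the attributes that limit sniffing and replay.

    HttpOnly keeps script from reading the id, SameSite=Lax limits cross-site
    sending, and Secure (only meaningful on HTTPS) keeps it off plaintext HTTP.
    """
    attrs = [f"sid={sid}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if https:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


def fixation_check(login):
    """Replay the fixation scenario against a login function.

    Returns (attacker_id_now_authenticated, id_issued_to_victim).
    """
    store = SessionStore()
    planted_sid = "attacker-chosen-id"  # constructed: an id known before login
    victim_sid = login(store, planted_sid, "victim")
    return store.sessions.get(planted_sid) == "victim", victim_sid


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        hijacked, sid = fixation_check(fn)
        print(f"{name}: planted id authenticated={hijacked}")
        print("  " + set_cookie_header(sid))
```

The check is the one to run against any session layer under test: log in with a cookie value you chose yourself, then see whether that same value is accepted as the authenticated session afterwards. If it is, the application needs the regeneration step, independently of how strong its generated ids are.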